Microsoft published earlier today the Patch Tuesday security bulletin for May 2018 , containing Vulnerability-related.PatchVulnerability fixes for 67 security issues . This month , Microsoft fixed Vulnerability-related.PatchVulnerability security flaws in Microsoft Windows , Internet Explorer , Microsoft Edge , ChakraCore , .NET Framework , Microsoft Exchange Server , Windows Host Compute Service Shim , and Microsoft Office and Microsoft Office Services and Web Apps . Microsoft patches Vulnerability-related.PatchVulnerability two zero-days The biggest issue patched Vulnerability-related.PatchVulnerability this month is a zero-day in Internet Explorer that has been abused by a cyber-espionage campaign earlier this month . The zero-day ( CVE-2018-8174 ) affects Vulnerability-related.DiscoverVulnerability not only IE but also any other projects that embed the IE web rendering engine . Microsoft credited researchers from both Qihoo 360 Core Security and Kaspersky Lab for discovering Vulnerability-related.DiscoverVulnerability this issue . The second zero-day is CVE-2018-8120 , an elevation-of-privilege vulnerability in the Win32k component . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could run arbitrary code in kernel mode . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights , '' Microsoft says . But the flaw is not as dangerous as it sounds , as an attacker already needs a foothold on Windows systems to run his malicious code in the first place , to elevate his access rights . Microsoft also patched Vulnerability-related.PatchVulnerability CVE-2018-8141 ( Windows Kernel Information Disclosure Vulnerability ) and CVE-2018-8170 ( Windows Image Elevation of Privilege Vulnerability ) , for which exploitation details became public . Despite info about these two flaws being published Vulnerability-related.DiscoverVulnerability online , Microsoft says Vulnerability-related.DiscoverVulnerability none were exploited Vulnerability-related.DiscoverVulnerability in the wild . Flash fixes also included Last but not least , the Microsoft May 2018 Patch Tuesday also included a patch for an Adobe Flash Player vulnerability ( CVE-2018-4944 ) that Adobe patched Vulnerability-related.PatchVulnerability earlier today . Below is a table listing of all the security issues Microsoft fixed Vulnerability-related.PatchVulnerability this month . We used PowerShell and the Microsoft API to assemble the table below , but the report is much longer . We hosted the full report on GitHub , here .

The bug was found Vulnerability-related.DiscoverVulnerability in the core infrastructure of Apache Struts 2 . The Apache Software Foundation has patched Vulnerability-related.PatchVulnerability a critical security vulnerability which affects Vulnerability-related.DiscoverVulnerability all versions of Apache Struts 2 . Uncovered Vulnerability-related.DiscoverVulnerability by researchers from cybersecurity firm Semmle , the security flaw is caused by the insufficient validation of untrusted user data in the core Struts framework . When Apache Struts uses results with no namespace and in the same time , upper actions have no wild namespace . The same opportunity for exploit exists when the URL tag is in use and there is no value or action set . As the bug , CVE-2018-11776 , has been discovered Vulnerability-related.DiscoverVulnerability in the Struts core , the team says there are multiple attack vectors threat actors could use to exploit the vulnerability . If the alwaysSelectFullNamespace flag is set to true in the Struts configuration , which is automatically the case when the Struts Convention plugin is in use , or if a user 's Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace . Man Yue Mo from the Semmle Security Research Team first reported Vulnerability-related.DiscoverVulnerability the flaw . `` This vulnerability affects Vulnerability-related.DiscoverVulnerability commonly-used endpoints of Struts , which are likely to be exposed , opening up an attack vector to malicious hackers , '' Mo says Vulnerability-related.DiscoverVulnerability . `` On top of that , the weakness is related to the Struts OGNL language , which hackers are very familiar with , and are known to have been exploited Vulnerability-related.DiscoverVulnerability in the past . '' The vulnerability affects Vulnerability-related.DiscoverVulnerability all versions of Apache Struts 2 . Companies which use the popular open-source framework are urged to update their builds immediately . Users of Struts 2.3 are advised to upgrade Vulnerability-related.PatchVulnerability to 2.3.35 ; users of Struts 2.5 need to upgrade Vulnerability-related.PatchVulnerability to 2.5.17 . As the latest releases only contain Vulnerability-related.PatchVulnerability fixes for the vulnerability , Apache does not expect users to experience any backward compatibility issues . `` Previous disclosures Vulnerability-related.DiscoverVulnerability of similarly critical vulnerabilities have resulted in exploits being published Vulnerability-related.DiscoverVulnerability within a day , putting critical infrastructure and customer data at risk , '' Semmle says . `` All applications that use Struts are potentially vulnerable Vulnerability-related.DiscoverVulnerability , even when no additional plugins have been enabled . '' Mo first reported Vulnerability-related.DiscoverVulnerability the findings in April . By June , the Apache Struts team published the code which resolved Vulnerability-related.PatchVulnerability the problem , leading to the release Vulnerability-related.PatchVulnerability of official patches on August 22 .